Chapter 3

LFSR-based Stream Ciphers

In order to minimize the size of the internal state, stream ciphers dedicated to low-cost hard- ware implementations may use a linear transition function. Among all such possibilities, linear feedback shift registers (LFSRs) offer several advantages including their performance, their implementation cost and many theoretical results on the statistical properties of the produced sequences. LFSR-based generators are then probably the most commonly studied class of keystream generators. This class includes both hardware-oriented stream ciphers and software-oriented ciphers, but this second type of applications usually relies on non-binary LF- SRs, operating on a larger alphabet (e.g. on 32-bit words). The most widely used LFSR-based stream ciphers include E0 (used in the Bluetooth standard), A5/1 used for encrypting the over- the-air communications in the GSM cellular telephone standard, SNOW 2.0 (ISO/IEC 18033-4 standard) and its variant SNOW 3G used in UMTS 3G networks. In most practical LFSR-based generators used nowadays, the internal state is divided into two parts: one is updated linearly by an LFSR, and the other one is updated with a nonlinear function in order to prevent the main attacks exploiting the linearity of the transition function. This nonlinear part may be small (and seen as a nonlinear memory) as in E0 or SNOW 2.0, or both parts of the internal state may be of equal size, like in MUGI or Grain.

3.1 Main properties of LFSRs

3.1.1 Definitions

An LFSR of length L over Fq is a finite state automaton which produces a semi-infinite sequence of elements of Fq, s = (st)t≥0, satisfying a linear recurrence relation of degree L over Fq L X st+L = cist+L−i, ∀t ≥ 0 . i=1

The L coefficients c1, . . . , cL are elements of Fq. They are called the feedback coefficients of the LFSR. The Fibonacci representation of an LFSR of length L over Fq has the form depicted on Figure 3.1. The register consists of L delay cells, called stages, each containing an element of Fq. The contents of the L stages, st, . . . , st+L−1, form the state of the LFSR. The L stages are initially loaded with L elements, s0, . . . , sL−1, which can be arbitrary chosen in Fq; they form the initial state of the register.

43 44 Chapter 3. LFSR-based Stream Ciphers

st+L -st+L−1 -st+L−2 - ... - st+1 - st - output ? ? ? ? c1 c2 cL−1 cL ? ? ? +  +  +         Figure 3.1: Fibonacci representation of an LFSR of length L.

The shift register is controlled by an external clock. At each time unit, each digit is shifted one stage to the right. The content of the rightmost stage st is output. The new content of the leftmost stage is the feedback bit, st+L. It is obtained by a linear combination of the contents of the register stages, where the coefficients of the linear combination are given by the feedback coefficients of the LFSR: L X st+L = cist+L−i . i=1 Therefore, the LFSR implements the linear recurrence relation of degree L: L X st+L = cist+L−i, ∀t ≥ 0 . i=1 Example 3.1. A binary LFSR of length 4. Table 3.1 gives the successive states of the binary LFSR of length 4 with feedback coefficients c1 = c2 = 0, c3 = c4 = 1 and with initial state (s0, s1, s2, s3) = (1, 0, 1, 1). This LFSR is depicted in Figure 3.2. It corresponds to the linear recurrence relation st+4 = st+1 + st mod 2 .

The output sequence s0s1 ... generated by this LFSR is 1011100 ....

Figure 3.2: Binary LFSR with feedback coefficients (c1, c2, c3, c4) = (0, 0, 1, 1)

- - - - -

? + i

Feedback polynomial and characteristic polynomial. The output sequence of an LFSR is uniquely determined by its feedback coefficients and its initial state. The feedback coef- ficients c1, . . . , cL of an LFSR of length L are usually represented by the LFSR feedback polynomial (or connection polynomial) defined by

L X i P (X) = 1 − ciX . i=1 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 45

Table 3.1: Successive states of the LFSR with feedback coefficients (c1, c2, c3, c4) = (0, 0, 1, 1) and with initial state (s0, s1, s2, s3) = (1, 0, 1, 1) t 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

st 1 0 1 1 1 1 0 0 0 1 0 0 1 1 0 1 st+1 0 1 1 1 1 0 0 0 1 0 0 1 1 0 1 0 st+2 1 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 st+3 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 1

Alternatively, one can use the characteristic polynomial, which is the reciprocal polynomial of the feedback polynomial:

L ? L L X L−i P (X) = X P (1/X) = X − ciX . i=1 For instance, the feedback polynomial of the binary LFSR shown in Figure 3.2 is P (X) = 1 + X3 + X4 and its characteristic polynomial is P ?(X) = 1 + X + X4.

Non-singular LFSRs. An LFSR is said to be non-singular if the degree of its feedback polynomial is equal to the LFSR length (i.e., if the feedback coefficient cL differs from 0). In this case, the transition function of the LFSR is bijective. Any sequence generated by a non-singular LFSR of length L is periodic, and its period does not exceed qL − 1. Indeed, the LFSR has at most qL different states and the all-zero state is always followed by the all-zero state. Moreover, if the LFSR is singular, all generated sequences are ultimately periodic, i.e., the sequences obtained by ignoring a certain number of elements at the beginning are periodic.

3.1.2 Characterization of LFSR output sequences L A given LFSR of length L over Fq can generate q different sequences corresponding to L the q different initial states and these sequences form a vector space over Fq. The set of all sequences generated by an LFSR with feedback polynomial P is characterized by the following property [Zie59].

Theorem 3.1. A sequence (st)t≥0 is generated by an LFSR of length L over Fq with feedback polynomial P if and only if there exists a polynomial Q ∈ Fq[X] with deg(Q) < L such that the generating function of (st)t≥0 satisfies

X Q(X) s Xt = . t P (X) t≥0

Moreover, the polynomial Q is completely determined by the coefficients of P and by the initial state of the LFSR: L−1 k ! X j X Q(X) = − X skcj−k , j=0 k=0 PL i where P (X) = − i=0 ciX . 46 Chapter 3. LFSR-based Stream Ciphers

Proof.

L ! ∞ ! ∞  j  X i X t X j X − ciX stX = X − skcj−k i=0 t=0 j=0 k=max(0,j−L) L−1 j ! ∞  j  X j X X j X = − X skcj−k + X  skcj−k . j=0 k=0 j=L k=j−L

Therefore, we deduce that

L ! ∞ ! X i X t Q(X) = − ciX stX i=0 t=0 is a polynomial of degree strictly less than L if and only if the second right-hand term vanishes, i.e., j X skcj−k = 0 k=j−L for all j ≥ L. 

This result, which is called the fundamental identity of formal power series of linear re- curring sequences, means that there is a one-to-one correspondence between the sequences generated by an LFSR of length L with feedback polynomial P and the fractions Q(X)/P (X) with deg(Q) < L. It has two major consequences. On the first hand, any sequence generated by an LFSR with feedback polynomial P is also generated by any LFSR whose feedback poly- nomial is a multiple of P . This property is widely used for attacking LFSR-based generators (e.g., in distinguishing attacks, and in fast correlation attacks). It may also be helpful since some multiple of the feedback polynomial may provide more appropriate representations in some contexts.

Example 3.2. Let s be a binary sequence satisfying

st+6 = st+4 + st+3 + st+1 + st, ∀t ≥ 6 .

The corresponding feedback polynomial is then P (X) = 1 + X2 + X3 + X5 + X6. It then follows that s also satisfies st+8 = st+7 + st since 1 + X + X8 = (1 + X2 + X3 + X5 + X6)(1 + X + X2). This alternative recursion may then have a lower implementation cost because of its sparsity.

On the other hand, Theorem 3.1 implies that a sequence generated by an LFSR with feedback polynomial P is also generated by a shorter LFSR with feedback polynomial P 0 if the corresponding fraction Q(X)/P (X) is such that gcd(P,Q) 6= 1. Thus, amongst all sequences generated by the LFSR with feedback polynomial P , there is one which can be generated by a shorter LFSR if and only if P is not irreducible over Fq. This leads to the following natural notion of minimal polynomial. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 47

Definition 3.2. For any linear recurring sequence (st)t≥0, there exists a unique polynomial P0 with constant term equal to 1, such that the generating function of (st)t≥0 is given by

X t stX = Q0(X)/P0(X) t≥0

where P0 and Q0 are relatively prime. Then, the shortest LFSR which generates (st)t≥0 has length L = max(deg(P0), deg(Q0) + L 1), and its feedback polynomial is equal to P0. The reciprocal polynomial of P0, X P0(1/X), is the characteristic polynomial of the shortest LFSR which generates (st)t≥0; it is called the minimal polynomial of the sequence.

The minimal polynomial of a linear recurring sequence then determines the linear recur- rence relation of least degree satisfied by the sequence.

Example 3.3. The binary LFSR of length 10 depicted in Figure 3.3 has feedback polynomial

P (X) = 1 + X + X3 + X4 + X7 + X10 ,

and its initial state s0 . . . s9 is 1001001001.

Figure 3.3: Example of a LFSR of length 10.

- 1 - 0 - 0 - 1 - 0 - 0 - 1 - 0 - 0 - 1 - ? ? ? ? + + + + The generatingh function ofh the sequenceh produced by thish LFSR is given by

X Q(X) s Xt = t P (X) t≥0

where Q is deduced from the coefficients of P and from the initial state:

Q(X) = 1 + X + X7 .

Therefore, we have

X 1 + X + X7 1 s Xt = = , t 1 + X + X3 + X4 + X7 + X10 1 + X3 t≥0

3 4 7 10 7 3 since 1 + X + X + X + X + X = (1 + X + X )(1 + X ) in F2[X]. This implies that 3 (st)t≥0 is also generated by the LFSR with feedback polynomial P0(X) = 1 + X depicted in Figure 3.4. The minimal polynomial of the sequence is then 1 + X3.

Obviously, in all cryptographic applications, the feedback polynomials of LFSRs are always chosen irreducible. 48 Chapter 3. LFSR-based Stream Ciphers

Figure 3.4: LFSR of length 3 which generates the same sequence as the LFSR in Figure 3.3

- 0 - 0 - 1 -

3.1.3 Period of a linear recurring sequence Another important role played by the minimal polynomial is that it determines the period of a linear recurring sequence.

Proposition 3.3. The least period of a linear recurring sequence is equal to the order of its e minimal polynomial P0, i.e., to the least positive integer e for which P0(X) divides X + 1. For instance, the sequence studied in Example 3.3 has minimal polynomial X3 + 1. Then, it has period 3. On the other hand, any non-zero sequence generated by the LFSR of length 4 depicted in Figure 3.2 has period 24 − 1 = 15. Indeed, the minimal polynomial of any such 4 sequence corresponds to its characteristic polynomial P0(X) = 1 + X + X , because P0 is irreducible. We directly deduce from Proposition 3.3 that a sequence has maximal period 2deg P0 − 1 if and only if P0 is a primitive polynomial. The sequences produced by an LFSR with primitive feedback polynomial are called maximal-length sequences (m-sequences).

3.1.4 Statistical properties of m-sequences Maximum-length sequences, i.e., the linear recurring sequences produced by an LFSR with primitive feedback polynomial, possess several good statistical properties which make them appropriate building-blocks in keystream generators. For instance, any binary sequence produced by an LFSR of length L with primitive feed- back polynomial satisfy the following properties. The first three properties are called Golomb’s randomness postulates [Gol82].

• Balance property: The difference between the number of ones and the number of zeroes in any window of 2L − 1 consecutive bits is equal to 1:

L L #{i, st0+i = 1, 0 ≤ i < 2 − 1} − #{i, st0+i = 0, 0 ≤ i < 2 − 1} = 1 .

• Runs: a run is a set of consecutive zeroes flanked by ones, or of consecutive ones flanked by zeroes. For instance, the sequence 0100011 has a run of zeroes of length 3. The proportion of runs of length i within any frame of (2L − 1) consecutive bits of an m- sequence is 2−i, 0 ≤ i < L. Moreover, among all runs of length i, i ≤ L − 2, the number of runs of zeroes and the number of runs of ones are equal. There is exactly one run of length (L − 1) and one run of length L (see Example 3.4).

• Two-level auto-correlation: The autocorrelation of a binary sequence of period N is defined by 2L−2 X s +s C(τ) = (−1) t t+τ mod (2L−1) . t=0 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 49

C(τ) then measures the distance between the sequence s0s1 . . . s2L−2 and the sequence obtained by shifting it by τ positions, i.e., sτ sτ+1 . . . sτ−1. Indeed, we have L L C(τ) = 2 − 1 − 2#{t, st 6= st+τ mod (2L−1), 0 ≤ t < 2 − 1} . In particular, C(τ) = 2L − 1 if and only if τ is a multiple of the period of the sequence since the two sequences are identical. For any m-sequence generated by an LFSR with primitive feedback polynomial of degree L, we have that, if τ is not a multiple of (2L −1), then C(τ) = −1. This means that the sequence is as far as possible from its shifted versions. This property is widely used in telecommunications for synchronization.

L • Multigram property: the L-tuple stst+1 . . . st+L−1 takes all the 2 − 1 nonzero values when t varies between 0 and (2L − 2). Some additional properties of m-sequences are detailed in [Hel11]. Example 3.4. Let us consider the first 31 bits of the binary sequence produced by the LFSR of length 5 with primitive feedback polynomial X5 + X3 + 1 from initial state 10000: 1000010101110110001111100110100 It can be checked that this sequence consists of 16 ones and 15 zeroes. It then satisfies the balance property. The sequence has 16 runs: 8 runs of length 1 (4 runs of zeroes and 4 runs of ones), 4 runs of length 2 (2 runs of zeroes and 2 runs of ones), 2 runs of length 3 (1 run of zeroes and 1 run of ones), one run of zeroes of length 4 and one run of ones of length 5.

3.1.5 LFSR and multiplication in a finite field The operation performed by a q-ary LFSR of length L with irreducible feedback polynomial corresponds to a multiplication in the finite field FqL . ? Proposition 3.4. Let P be an irreducible polynomial in Fq[X] with degree L. Let α ∈ FqL ? L−1 be a root of P and {β0, . . . , βL−1} denote the dual basis of {1, α, . . . , α }, i.e.,  0 if i 6= i Tr(αiβ ) = , j 1 if i = j where Tr denotes the trace function from FqL into Fq. Then, the content of the LFSR with characteristic polynomial P ? at time (t + 1) is equal to its content at time t multiplied by α, where these vectors are identified with elements in the field FqL decomposed on the basis {β0, . . . , βL−1}.

Proof. For any t, we identify an L-tuple (x0, . . . , xL−1) with an element in the finite field FqL by x = xL−1βn−1 + ... + x0β0 . Then, by definition of the dual basis, we have that, for any 0 ≤ i < L, L−1 i X i Tr(α x) = Tr(xjα βj) j=0 L−1 X i = xjTr(α βj) = xi . j=0 50 Chapter 3. LFSR-based Stream Ciphers

i This means that the i-th coordinate of x in the basis {β0, . . . , βL−1} is equal to Tr(α x). Let us now compute the coordinates of y = αx in this basis. The i-th coordinate of y is given by Tr(αiy) = Tr(αi+1x) . It follows that the i-th coordinate of y is equal to the (i + 1)-th coordinate of x if i < L − 1. For i = L − 1, the last coordinate of y is given by Tr(αL−1y) = Tr(αLx) L ! X L−i = Tr ciα x i=1 L L X L−i X = ciTr(α x) = cixL−i , i=1 i=1 ? L PL L−i where the characteristic polynomial is given by P (X) = X − i=1 ciX , implying that L PL L−i α = i=1 ciα . It follows that the coordinates of y = αx correspond to the content after one clock of the LFSR initialized by x. 

Galois representation. Since an LFSR with irreducible feedback polynomial is a device which implements the multiplication by an element α in a finite field, some alternate auto- L morphism between the FqL and Fq may be used without modifying the transition function 2 L−1 over FqL . Another natural representation is obtained when the basis {1, α, α , . . . , α } is used for representing the elements in FqL instead of the dual basis {β0, . . . , βL−1}. This repre- sentation is called the Galois representation, and corresponds to the “natural” multiplication circuit, i.e., the multiplication in the so-called polynomial basis. The Galois representation corresponding to the Fibonacci LFSR depicted on Figure 3.1 is given in Figure 3.5.

Figure 3.5: Galois representation of the LFSR depicted on Figure 3.1.

- 0 - - 0 - - - 0 - - 0 - st+L−1 + st+L−2 + st+1 + st 6l 6l l6

cL cL−1 cL−2 c1 6 6 6 6    

It is worth noticing that Fibonacci and Galois representations have different features. For instance, the Galois representation is obviously more efficient in software than the Fibonacci representation. Also, the diffusion within the register in the Galois representation is faster.

3.2 Linear complexity and LFSR synthesis

A fundamental quantity for a sequence is its linear complexity since it determines the smallest linear recursion satisfied by the sequence, or equivalently the length of the smallest LFSR generating the sequence. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 51

Definition 3.5. The linear complexity of a semi-infinite sequence s = (st)t≥0 of elements of Fq, Λ(s), is the smallest integer Λ such that s can be generated by an LFSR of length Λ over Fq, and is ∞ if no such LFSR exists. By way of convention, the linear complexity of the all- zero sequence is equal to 0. The linear complexity of a linear recurring sequence corresponds to the degree of its minimal polynomial. n n The linear complexity Λ(s ) of a finite sequence s = s0s1 . . . sn−1 of n elements of Fq is the length of the shortest LFSR which produces sn as its first n output terms for some initial state. The linear complexity of an infinite linear recurring sequence s and the linear complexity of the finite sequence sn composed of the first n digits of s are related by the following property: if s is an infinite linear recurring sequence with linear complexity Λ, then the finite sequence sn has linear complexity Λ for any n ≥ 2Λ [Mas69]. Moreover, the unique LFSR of length Λ that generates s is the unique LFSR of length Λ that generates sn for every n ≥ 2Λ.

3.2.1 Linear complexity as a statistical test n For a sequence s = s0s1 ..., the sequence of the linear complexities (Λ(s ))n≥1 of all sub- n sequences s = s0 . . . sn−1 composed of the first n terms of s is called the linear complexity profile of s. Proposition 3.6. [Rue86, Page 40] The expected linear complexity of a binary sequence sn = s0 . . . sn−1 of n independent and uniformly distributed binary random variables is n 4 + ε(n) n 2 E[Λ(sn)] = + + 2−n + , 2 18 3 9 where ε(n) = n mod 2. Therefore, it may be possible to distinguish a sequence from a truly random sequence by computing its linear complexity profile and comparing the result to what is expected from Proposition 3.6. Further results on the linear complexity and on the linear complexity profile of random sequences can be found in [Rue86].

3.2.2 Berlekamp-Massey algorithm The Berlekamp-Massey algorithm is an algorithm for determining the linear complexity of a finite sequence and the feedback polynomial of an LFSR of minimal length which generates this sequence. This algorithm is due to Massey [Mas69], who showed that the iterative algorithm proposed in 1967 by Berlekamp [Ber68] for decoding BCH codes can be used for finding the shortest LFSR that generates a given sequence. Given sequence sn of length n, the Berlekamp- Massey performs n iterations. The t-th iteration determines an LFSR of minimal length which generates the first t digits of sn. The algorithm is described in Algorithm 7. In the particular case of a binary sequence, the quantity d0 does not need to be stored since it is always equal to 1. Moreover, the feedback polynomial is simply updated by P (X) ← P (X) + P 0(X)Xt−m . The number of operations performed for computing the linear complexity of a sequence of length n is O(n2). It can be proved that the Berlekamp-Massey algorithm and the Euclidean algorithm are essentially the same [Dor87]. 52 Chapter 3. LFSR-based Stream Ciphers

Algorithm 7 The Berlekamp-Massey algorithm. n Input: s = s0s1 . . . sn−1, a sequence of n elements of Fq. Output: Λ, the linear complexity of sn and P , the feedback polynomial of an LFSR of length Λ which generates sn. /* Initialization */ P (X) ← 1, P 0(X) ← 1, Λ ← 0, m ← −1, d0 ← 1. /* Algorithm */ for t from 0 to n − 1 do PΛ d ← st + i=1 pist−i. if d 6= 0 then T (X) ← P (X). P (X) ← P (X) − d(d0)−1P 0(X)Xt−m. if 2Λ ≤ t then Λ ← t + 1 − Λ. m ← t. P 0(X) ← T (X). d0 ← d. end if end if end for return Λ and P

The LFSR of minimal length that generates a sequence sn of length n is unique if and only if n ≥ 2Λ(sn), where Λ(sn) is the linear complexity of sn. Obviously, the linear complexity Λ(s) of a semi-infinite linear recurring sequence s = (st)t≥0 is equal to the linear complexity of the finite sequence composed of the first n terms of s for any n ≥ Λ(s). Thus, the Berlekamp-Massey algorithm determines the shortest LFSR that generates an infinite linear recurring sequence s from the knowledge of any 2Λ(s) consecutive digits of s.

Example 3.5. Table 3.2 describes the successive steps of the Berlekamp-Massey algorithm applied to the binary sequence of length 7, s0 . . . s6 = 0111100. The values of Λ and P

0 t st d Λ P (X) m P (X) 0 1 −1 1 0 0 0 0 1 −1 1 1 1 1 2 1 + X2 1 1 2 1 1 2 1 + X + X2 1 1 3 1 1 2 1 + X 1 1 4 1 0 2 1 + X 1 1 5 0 1 4 1 + X + X4 5 1 + X 6 0 0 4 1 + X + X4 5 1 + X

Table 3.2: Successive steps of the Berlekamp-Massey algorithm applied to the binary sequence of length 7, s0 . . . s6 = 0111100. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 53 obtained at the end of step t correspond to the linear complexity of the sequence s0 . . . st and to the feedback polynomial of an LFSR of minimal length that generates it.

3.3 Classical constructions of LFSR-based generators

It is clear that an LFSR should never be used by itself as a keystream generator. If the feedback coefficients are publicly known (which is usually the case when the LFSR is implemented in hardware), the entire keystream can obviously be recovered from the knowledge of any Λ consecutive bits of the keystream, where Λ is the linear complexity of the running-key (which does not exceed the LFSR length). If the feedback coefficients are kept secret, the entire keystream can be recovered from any 2Λ consecutive bits of the keystream by the Berlekamp- Massey algorithm. However, LFSRs are extremely fast and low-cost devices and they generate sequences with good statistical properties, in particular with a high period. Therefore, they are often used as building-blocks in dedicated keystream generators, but within a more complex system. In par- ticular, three classical constructions based on LFSR aim at increasing the linear complexity of the generated sequence at a low implementation cost. These three methods have received a lot of attention and have been widely used within stream ciphers. They include the combination generator, the filter generator and the generators based on LFSR with irregular clocking.

3.3.1 Combination generators A combination generator is a keystream generator composed of several LFSRs whose outputs are combined by a Boolean function to produce the keystream. Then, the output sequence (st)t≥0 of a combination generator composed of n LFSRs is given by 1 2 n st = f(ut , ut , . . . , ut ), ∀t ≥ 0 , i where (ut)t≥0 denotes the sequence generated by the i-th constituent LFSR and f is a function of n variables. In the case of a combination generator composed of n LFSR over Fq, the n combining function is a function from Fq into Fq.

u1 e - t - e e ? ? e u2 - t - e e ? ? ? f ee - s % t . % . % % un - t - % % ? ? ? %%

Figure 3.6: Combination generator.

The combining function f should obviously be balanced, i.e., its output should be uniformly distributed. The constituent LFSRs should be chosen to have primitive feedback polynomials 54 Chapter 3. LFSR-based Stream Ciphers for ensuring good statistical properties of their output sequences. The characteristics of the constituent LFSRs and the combining function are usually publicly known. The secret param- eters are the initial states of the LFSRs, which are derived from the secret key of the cipher by a key-loading algorithm. When the feedback polynomials of the LFSR and the combining function are not known, the reconstruction attack presented in [CF01] enables to recover the complete description of the generator from the knowledge of a large segment of the ciphertext sequence. Example 3.6. Geffe generator [Gef73] The generator proposed by Geffe [Gef73] is com- posed of three LFSRs of distinct lengths combined by the function

f(x1, x2, x3) = x1x2 + x2x3 + x3 .

It is worth noticing that this function corresponds to an IF: if x2 = 0, then f(x1, x2, x3) = x3 and if x2 = 1, f(x1, x2, x3) = x1.

LFSR 1 1 ? ...... -...... e. - s LFSR 2 ... t ...... e 0 6 LFSR 3 e

Figure 3.7: Geffe generator.

Linear complexity of the output sequence. The sequence produced by a combination generator is a linear recurring sequence. Its period and its linear complexity can be derived from those of the sequences generated by the constituent LFSRs and from the ANF of the combining function. Indeed, if we consider two linear recurring sequences u and v over Fq with linear complexities Λ(u) and Λ(v), we have the following properties:

• the linear complexity of the sequence u + v = (ut + vt)t≥0 satisfies

Λ(u + v) ≤ Λ(u) + Λ(v) ,

with equality if and only if the minimal polynomials of u and v are relatively prime. Moreover, in case of equality, the period of u + v is the least common multiple of the periods of u and v.

• the linear complexity of the sequence uv = (utvt)t≥0 satisfies

Λ(uv) ≤ Λ(u)Λ(v) ,

where equality holds if the minimal polynomials of u and v are primitive and if Λ(u) and Λ(v) are distinct and greater than 2. Other general sufficient conditions for Λ(uv) = Λ(u)Λ(v) can be found in [Her86, RS87, GN95]. These results lead to the following general proposition. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 55

Proposition 3.7. [RS87] Let us consider the combination generator composed of n binary LFSRs with primitive feedback polynomials which are combined by a Boolean function f. If all LFSR lengths L1,...,Ln are distinct and greater than 2 (and if the LFSR initializations differ from the all-zero state), the linear complexity of the output sequence s is equal to

f(L1,L2,...,Ln)

where the algebraic normal form of f is evaluated over integers.

For instance, if four LFSRs of lengths L1,...,L4 satisfying the previous conditions are combined by the Boolean function x1x2 + x2x3 + x4, the linear complexity of the resulting sequence is L1L2 + L2L3 + L4. Similar results concerning the combination of LFSRs over Fq can be found in [Bry86, GN95]. For instance, the linear complexity of the sequence produced by the Geffe generator is L1L2 + L2L3 + L3 where L1, L2 and L3 denote the lengths of the constituent LFSRs. A high linear complexity is obviously desirable for a keystream sequence since it ensures that Berlekamp-Massey algorithm becomes computationally infeasible. Thus, the combining function f should have a high algebraic degree. A detailed analysis of the security of the combination generator, especially its resistance to correlation attacks, is provided in Section 3.5.

3.3.2 Filter generator A filter generator is a keystream generator composed of a single LFSR whose content is filtered by a nonlinear function. More precisely, the output sequence of a filter generator corresponds to the output of a nonlinear function whose inputs are taken from some stages of the LFSR. If (ut)t≥0 denotes the sequence generated by the LFSR, the output sequence (st)t≥0 of the filter generator is given by

st = f(ut+γ1 , ut+γ2 , . . . , ut+γn ), ∀t ≥ 0

where f is a function of n variables, n is less than or equal to the LFSR length and (γi)1≤i≤n is a decreasing sequence of non-negative integers called the tapping sequence.

st 6 ¨H ¨¨ HH ¨ H ¨¨ HH ¨ f H ¨¨ HH ¨¨ HH 6 6 6 6 6 6

-u u u ... u - t+γ1 t+γ2 t+γ3 t+γn ut

Figure 3.8: Filter generator. 56 Chapter 3. LFSR-based Stream Ciphers

In order to obtain a keystream sequence having good statistical properties, the filtering function f should be balanced, and the feedback polynomial of the LFSR should be chosen to be a primitive polynomial. In a filter generator, the LFSR feedback polynomial, the filtering function and the tapping sequence are usually publicly known. The secret parameter is the initial state of the LFSR which is derived from the secret key of the cipher. The attack presented in [Sie85] enables to construct an equivalent keystream generator from the knowledge of a large segment of the ciphertext sequence when the LFSR feedback polynomial is the only known parameter (i.e., when the filtering function, the tapping sequence and the initial state are kept secret). Any filter generator is equivalent to a particular combination generator, in the sense that both generators produce the same output sequence: an equivalent combination generator consists of n copies of the LFSR used in the filter generator with shifted initial states; the combining function corresponds to the filtering function.

Linear complexity of the output sequence. The output sequence s of a filter generator is a linear recurring sequence. Its linear complexity, Λ(s), is related to the LFSR length and to the algebraic degree of the filtering function f. For a binary LFSR with a primitive feedback polynomial, we have d X L Λ(s) ≤ i i=0 where L denotes the LFSR length and d denotes the algebraic degree of f [Key76, Mas01]. L L
The period of s divides 2 − 1. Moreover, if L is a large prime, Λ(s) is at least d for most filtering functions with algebraic degree d [Rue86]. To achieve a high linear complexity, the LFSR length L and the algebraic degree of the filtering function should be large enough. More precisely, the keystream length available to an attacker should always be much smaller than L
deg(f) . It is worth noticing that the lower bound on the linear complexity does not hold for all functions. For instance, some examples of filter generators with an LFSR of size L and a filtering function of high degree, but with linear complexity L only can be exhibited [RC10].

3.3.3 LFSRs with irregular clocking

Another technique for increasing the linear complexity of the produced keystream consists in considering one or several LFSRs, but some LFSR bits decide which LFSR to clock and how often. The most prominent example is the shrinking generator proposed in 1993 by Coppersmith, Krawczyk and Mansour [CKM94]. It is composed of two LFSRs, and the output of the second LFSR controls the clock of the first one. More precisely, if the second LFSR outputs 0, the output bit of the first one is discarded. This generator is depicted on Figure 3.9. Then, it can be proved that the linear complexity of the produced sequence is at least LB −2 LA2 where LA and LB denote the linear complexities of the two constituent registers. The self- shrinking generator [MS95] and the alternating-step generator [Gün88] are two other examples of clock-controlled generators. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 57

Figure 3.9: The shrinking generator.

- - st TT b T

6 f

3.4 Some widely-used LFSR-based generators

3.4.1 A5/1 A5/1 is the stream cipher used for encrypting over-the-air transmissions in the GSM standard. A5/1 is used in most European countries, whereas a weaker cipher, called A5/2, is used in other countries (a description of A5/2 and an attack can be found in [PFS00]). The description of A5/1 was first kept secret but its design has been reverse-engineered in 1999 by Briceno, Golberg and Wagner [BGW99]. A5/1 has a 64-bit secret key. A GSM conversation is transmitted as a sequence of 228-bit frames (114 bits in each direction) every 4.6 millisecond. Each frame is xored with a 228-bit sequence produced by the A5/1 running-key generator. The initial state of this generator depends on the 64-bit secret key, K, which is fixed during the conversation, and on a 22-bit public frame number, F .

Description of the running-key generator. The A5/1 running-key generator is com- posed of 3 LFSRs of lengths 19, 22 and 23. Their characteristic polynomials are X19 + X5 + X2 +X +1, X22 +X +1 and X23 +X15 +X2 +X +1. The internal state of the generator then consists of 64 bits only, which makes it vulnerable to Time-Memory-Data-Trade-off attacks. For each frame transmission, the 3 LFSRs are first initialized to zero. Then, at time t = 1,..., 64, the LFSRs are clocked, and the key bit Kt is xored to the feedback bit of each LFSR. For t = 65,..., 86, the LFSRs are clocked in the same fashion, but the (t − 64)-th bit of the frame number is now xored to the feedback bits. This initialization phase is depicted on Figure 3.10.

+ - - >6  e ? ??  + + +   e e e F22 ...F1K64 ...K1 -+ - - 6 ? C e + C e CCW + - - 6 ? ?? e + ++ e e e Figure 3.10: Initialization of the A5/1 running-key generator.

After these 86 cycles, the generator runs as depicted on Figure 3.11. Each LFSR has a 58 Chapter 3. LFSR-based Stream Ciphers clocking tap: tap 8 for the first LFSR, tap 10 for the second and the third ones (where the feedback tap corresponds to tap 0). At each unit of time, the majority value b of the 3 clocking bits is computed. A LFSR is clocked if and only if its clocking bit is equal to b. For instance, if the 3 clocking bits are equal to (1, 0, 0), the majority value is 0. The second and third LFSRs are clocked, but not the first one. The output of the generator is then given by the xor of the outputs of the 3 LFSRs. After the 86 initialization cycles, 328 bits are generated with the previously described irregular clocking. The first 100 ones are discarded and the following 228 bits form the running-key.

- ? ? ? C + ++ C ? C ¨ e e e ¨ CCW §b ¤ - - + -running-key ? + ££ k 6 £ ¦ ¥ e £ - £ ? ? ? + ++ e e e Figure 3.11: A5/1 running-key generator.

Attacks on A5/1. Several time-memory trade-off attacks have been proposed on A5/1 exploiting the small size of the secret key or of the internal state [BD00, BSW00]. They require the knowledge of a few seconds of conversation plaintext and run very fast. Even if they need a huge precomputation time and memory, an optimized version has been implemented in 2008: the group The Hacker’s Choice has precomputed the huge look-up tables involved in the time-memory-trade-off attack. These tables have also been computed and then released in December 2009 by the A5/1 cracking project [NP09], and an improved implementation has been described in [KPPM12]. Another attack due to Ekdahl and Johansson [EJ03] exploits some weaknesses of the key initialization procedure. It has been later improved by Maximov, Johansson and Bab- bage [MJB04] and then by Barkan and Biham [BB06]. It requires a few minutes using 5-10 seconds of conversation plaintext without any notable precomputation and storage capacity. Most of these attacks can also be turned into ciphertext-only attacks in the context of GSM communications by exploiting the fact that error-correction is performed before encryption in the GSM transmissions [BBK08].

3.4.2 E0 E0 is the stream cipher used for ensuring the confidentiality of communications in the Blue- tooth protocol for wireless short-range connectivity [Blu]. The keysize in E0 is 128 bits. More precisely, the number of key bytes, between 1 and 16 is negotiated between the two modules in the protocol, but the key is always extended to a 128-bit word by adding some redundancy when the effective number of key bits is less than Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 59

128. The IV has 64 bits which correspond to the 48-bit Bluetooth address, and a 26-bit master counter. In the Bluetooth protocol, data are transmitted as frames of at most 2745 bits. Each frame is then encrypted by xoring the first output bits of the keystream generator. The generator is initialized with a secret key, which remains the same during the whole session, and an IV which is modified for each new frame.

Description of the running-key generator. E0 is a combination generator composed of four LFSRs, combined by a Boolean function with a four-bit internal memory. This generator can be seen as a variant of the summation generator [Rue86]. This generator is used at two different levels: it is first applied during the initialization phase for generating a 128-bit initial state from the secret key and the IV. Then, the same mechanism is used to produce the keystream from the initial state. The four LFSRs are binary LFSRs of respective lengths L1 = 25, L2 = 31, L3 = 33, L4 = 39 (i.e., a total of 128 bits) with feedback polynomials 25 20 12 8 P1(x) = x + x + x + x + 1 31 24 16 12 P2(x) = x + x + x + x + 1 33 28 24 4 P3(x) = x + x + x + x + 1 39 36 28 4 P4(x) = x + x + x + x + 1 . i Let xt denote the output at time t of the i-th LFSR. Then, the 3-bit integer (between 0 and 4) corresponding to the sum of the outputs of the four LFSRs is computed: 1 2 3 4 2 1 0 yt = xt + xt + xt + xt = 4yt + 2yt + yt 2 1 0 where yt , yt , yt are binary values. The generator also includes some internal memory composed 1 0 of two 2-bit words, denoted by ct and ct−1 at time t. If 2ct + ct = ct denotes the binary decomposition of ct, then this 2-bit word is updated by 1 1 1 0 ct+1 = zt+1 + ct + ct−1 mod 2 0 0 0 1 0 ct+1 = zt+1 + ct + ct−1 + ct−1 mod 2 1 0 where zt , zt is the binary decomposition of the integer jy + c k z = t−1 t−1 . t 2 This combination generator with memory is directly used for producing the keystream: the keystream at time t is equal to 0 0 st = yt + ct mod 2 . The generator is initialized by the means of an additional level of the previously described system. The four LFSRs are first initialized with the 128-bit value

G1(Kc) XOR G2(IV ) where G1 and G2 are two affine transformations with a 128-bit output. The two memory words are set to zero. Then, the generator is clocked 200 times, and another affine transformation G3 is applied to the last 128 bits produced by the generator. The result of this operation then is then used as an initial state for the second-level generator, i.e., for the generator which outputs the keystream. The internal memory of this second-level generator is given by the memory of the first-level generator after the first 200 clocks. 60 Chapter 3. LFSR-based Stream Ciphers

Figure 3.12: E0 keystream generator.

st

x1 t 0 ct 2 c0 xt 0 t−1 yt 1 ct−1 3 xt 0 2 ct yt 1 4 ct xt

Figure 3.13: Initialization of E0 keystream generator.

first level second level

K G1 LFSRs G3 LFSRs keystream

IV G2 FSM FSM

Attacks on E0. The combination used in E0 is vulnerable to several attacks, including a linear attack [GBM02], some algebraic and fast algebraic attacks [Arm02, Cou03, HR04], and some fast correlation attacks [LV04b]. But all these attacks require the knowledge of a huge number of consecutive keystream bits generated from the same internal state, which is not the case in the Bluetooth protocol since the generator is resynchronized after 2745 bits. Nevertheless, some sophisticated correlation attacks due to Yi Lu, Willi Meier and Serge Vaudenay [LV04a, LMV05] take the resynchronization process into account. The most efficient attack recovers the secret key from the knowledge of the first 24 bits of 223.8 keystream frames. Its time complexity corresponds to 238 operations. A better trade-off between the on-line computation and the precomputation has been obtained in [ZXF13]. All these results imply that the security level of the E0 stream cipher is very limited.

3.5 Correlation attacks on LFSR-based generators

The correlation attack was originally proposed by Siegenthaler in 1985 [Sie85] against the combination generator composed of n LFSRs of lengths L1,...,Ln. The correlation attack is a divide-and-conquer technique: it aims at recovering the initial state of each constituent Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 61

LFSRs separately from the knowledge of some keystream bits (in a known plaintext attack). Pn Li
Qn Li
This attack requires i=1 2 − 1 trials only, instead of the i=1 2 − 1 tests required by an exhaustive search. A similar ciphertext only attack can also be mounted when there exists redundancy in the plaintext, as mentioned in [Sie85].

3.5.1 General principle More generally, the correlation attack applies to any keystream generator as soon as the keystream is correlated to the output sequence σ of a “reduced generator” whose initial state depends on some key bits only. These key bits can be determined by recovering the initial- ization of σ as follows: an exhaustive search for the initialization of σ is performed, and the correct one is detected by computing the correlation between the corresponding sequence σ and the keystream. The following description concentrates on binary sequences. More precisely, we assume as on Figure 3.14 that the internal state of the generator at time t can be divided into two parts, xt and yt of respective sizes ` and (n − `), which are updated independently by two functions Φ0 and Φ1. Suppose wlog. that the attacker aims at recovering the first part of the initial state, x0. The input vector of the filtering function can be decomposed into two parts, x and y according to the previous decomposition. Then, the attack can be mounted if there exists a function g depending on ` variables (i.e., depending on x only) whose output coincides with the output of f for more than half of the inputs. In other words, if there exists an `-variable function g such that

1 p = Pr [f(X,Y ) = g(X)] > . g X,Y 2 The existence of such a function g and its optimal choice is discussed in Section 3.5.5. If pg > 1/2, then the sequence σ(x0) produced by the reduced generator with initial state x0 and filtering function g is correlated to the keystream s. Indeed, for all t ≥ 0, 1 Pr[s = σ ] = p > . t t g 2

3.5.2 Correlation attacks as a decoding problem It has been observed by Meier and Staffelbach [MS89] that the previously described situation corresponds to a classical problem in the context of error-correction. Indeed, if there exists a correlation between the keystream s and the output σ of the reduced generator, then the keystream subsequence (st)t

C(p) = 1 + p log2 p + (1 − p) log2(1 − p) . 62 Chapter 3. LFSR-based Stream Ciphers

- Φ § 1 ¤ - Φ0 § ¤ ¦ ¥ ? ? yt ¦ ¥ yt+1 ... xt xt+1 ... @ @ @ @ ? ? J J J f J f J J J J

st st+1 ? ? σt- σt+1- ll

¡ gA ¡ g A ¡ A ¡ A 6 6

... x - - x ... t §Φ0 ¤ t+1

¦ ¥ Figure 3.14: Model for the correlation attack.

binary symmetric channel

? § ¤ ZZ 1−p - Z 0 - 0 Z @  s (keystream) - σ @p x - - Φ0 0 - g @ p @ -  @R-  1 1  1−p

¦ ¥ Figure 3.15: Correlation attacks on LFSR-based stream ciphers seen as a decoding problem.

In most situations, pg is close to 1/2, i.e., pg = 1/2(1 + ε) with ε  1. Then, we get the following approximation

1  1  1 − ε 1 + ε C (1 − ε) = 1 − (1 − ε) ln + (1 + ε) ln 2 2 ln 2 2 2 1 ' 1 − [(1 − ε)(−ε) + (1 + ε)ε − 2 ln(2)] 2 ln 2 ε2 ε2 = 1 + − 1 = . 2 ln 2 ln 2 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 63

The transmission rate of the code is equal to `/N where ` is the size of the targeted part of the initial state x0 and N is the number of known keystream bits. Then, we deduce from Shannon’s theorem that the attack requires the knowledge of

` ln 2 N ≥ keystream bits. (3.1) ε2

Generator matrix for an LFSR-code. In the particular case where the internal state xt of the reduced generator is updated by an LFSR of length `, the generator matrix of the underlying code C can be easily computed from the characteristic polynomial of the LFSR.

Proposition 3.8. Let (σt)t≥0 be a sequence produced by an LFSR of length ` with character- istic polynomial P ?. Then, for any N ≥ `, the ` × N matrix G such that

(σ0, . . . , σN−1) = (σ0, . . . , σ`−1)G

is the matrix whose t-th column, 0 ≤ t < N corresponds to the coefficients of the polynomial Xt mod P ?(X).

Proof. Let x0 denote the initial state of the reduced generator producing (σt)t≥0. From Propo- sition 3.4, we know that, for any t ≥ 0,

`−1 !! t t X σt = Tr(α x0) = Tr α σiβi . i=0

? `−1 t where α is a root of P and {β0, . . . , β`−1} is the dual basis of {1, α, . . . , α }. Let X mod ? P`−1 j t P`−1 j P (X) = j=0 djX . Then, by definition of α, we have that α = j=0 djα . It follows that

`−1  `−1 ! X j X σt = Tr  djα  σiβi  j=0 i=0 `−1 `−1 X X j = djσiTr(α βi) j=0 i=0 `−1 X = diσi i=0 by definition of the dual basis. This equivalently means that the t-th column of G corresponds to the vector (d0, . . . , d`−1). 

3.5.3 Maximum-likelihood decoding for correlation attacks

The original correlation attack presented by Siegenthaler [Sie85] recovers the initial state x0 by performing a statistical test on the correlation between the observed keystream s and the output of the reduced generator σ(x0) for all possible values of x0. This exactly corresponds to a maximum-likelihood decoding procedure. Here, we describe the attack in terms of statistical test as in the original paper. 64 Chapter 3. LFSR-based Stream Ciphers

Proposition 3.9. Let (st)t≥0 and (σ)t≥0 be two sequences such that Pr[st 6= σt] = p for all t ≥ 0. Then, the correlation between these two sequences computed over N bits,

N−1 1 X C = (−1)st+σt N t=0

is a random variable which follows a Gaussian distribution with mean (1 − 2p) and variance 4p(1 − p)/N.

Proof. We write N−1 N−1 1 X 2 X C = (1 − 2(s ⊕ σ )) = 1 − (s ⊕ σ ) . N t t N t t t=0 t=0

The N variables (st ⊕ σt)0≤t

In particular, the previous proposition implies that, if the two sequences are uncorrelated, i.e., if p = 1/2, then C follows a normal distribution with mean 0 and variance 1/N. If the two sequences (σt)t≥0 and (st)t≥0 are correlated, then all possible values for the initial state x0 of σ are examined. The correct value for x0 can be detected by a classical hypothesis testing (see Section 2.3.3 in Chapter 2). The corresponding algorithm is described in Algorithm 8. The value of the correlation is compared to some threshold T , whose value is

Algorithm 8 Original correlation attack. Input. s0s1 . . . sN−1, N keystream bits and p = Pr[st 6= σt] < 1/2. Output. σ0 . . . σ`−1, the initial state of σ. Compute the threshold T with (3.2) for all σ0, . . . , σ`−1 do Generate the first N bits of the sequence σ. Compute the correlation between s0s1 . . . sN−1 and σ0σ1 . . . σN−1:

N−1 1 X C ← (−1)st+ut mod 2 N t=0 if C > T then return σ0 . . . σ`−1 end if end for chosen as follows in order to minimize the error probability. If the initial state of σ is correct Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 65

(Hypothesis H1), then C follows a normal distribution with mean (1 − 2p) and variance 4p(1 − p)/N. This means that

1  (x − (1 − 2p))2  Pr[C = x] = √ exp − σ 2π 2σ2

2 with σ = 4p(1 − p)/N. Otherwise (Hypothesis H0), we have r N  Nx2  Pr[C = x] = exp − . 2π 2

For instance, these two distributions for N = 50 and p = 1/4 are plot on Figure 3.16.

Figure 3.16: Distributions of the correlation for N = 50 and p = 1/4. The red curve cor- responds to Hypothesis H0 (no correlation), while the blue curve corresponds to H1 (correct initial state).

Then, the false-alarm probability is r N Z +∞  Nx2  1 Z +∞  y2  Pf = exp − dx = √ √ exp − dy 2π T 2 2π T N 2 √ 1 Z T N  y2  √ = 1 − √ exp − dy = 1 − Φ(T N) 2π −∞ 2 where Φ(x) is the cumulative distribution function of the standard normal distribution, i.e.,

1 Z x  y2  Φ(x) = √ exp − dy . 2π −∞ 2

It is worth noticing that Φ can also be expressed by the means of the Gauss error function

1   x  Φ(x) = 1 + erf √ . 2 2 66 Chapter 3. LFSR-based Stream Ciphers

Similarly, the non-detection probability is given by

1 Z T  (x − (1 − 2p))2  √ Pn = exp − 2 dx σ 2π −∞ 2σ T −(1−2p) 2 1 Z σ  y  T − (1 − 2p) = √ exp − dy = Φ . 2π −∞ 2 σ

We deduce that, for obtaining a given value of Pn, we need to choose the threshold such that

T − (1 − 2p) = Φ−1(P ) σ n or equivalently r p(1 − p) T = (1 − 2p) + 2Φ−1(P ) . (3.2) n N Moreover, we have √ −1 T N = Φ (1 − Pf ) implying that √ Φ−1(1 − P ) − 2Φ−1(P )pp(1 − p) N = f n . 1 − 2p

−3 −1 −` Typical suitable values√ for Pf and Pn are Pn = 1.3 × 10 , i.e., Φ (Pn) = −3 and Pf = 2 , −1 i.e., Φ (1 − Pf ) ' `. With these values, we get that

 `  1 N = O where p = (1 − ε) . ε2 2

It is worth noticing that we recover the data complexity deduced from Shannon’s theorem and the value of the capacity of the binary symmetric channel. The time complexity of Algorithm 8 is then `2`  Time = 2`N = O ε2

Maximum-Likelihood decoding with an FFT. The time complexity of the previous algorithm is prohibitive in most situations, except for very small values of `. However, it can be significantly reduced when the transition function Φ0 is linear (i.e., if the underlying code C is a linear code). Indeed, maximum-likelihood decoding consists in computing the distance between the N-bit received word (i.e., the keystream in our case) and the 2` codewords in C. When C is a linear code, this computation boils down to evaluating the Fourier transform of ` the ternary function F from F2 into {−1, 0, 1} defined by

 st F (gt) = (−1) for all 0 ≤ t < N F (x) = 0 for all x 6∈ {gt, 0 ≤ t < N} where gt is the t-th column of the generator matrix of C. Indeed, the correlation between the keystream and the sequence σ produced from a given initial state x0 corresponds to the Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 67

Fourier transform of F at point x0:

N−1 1 X C(s, σ(x )) = (−1)st+σt 0 N t=0 N−1 1 X = (−1)st+x0·gt N t=0

X x0·x = F (x)(−1) = Fb(x0) . ` x∈F2 Therefore, when the code length N (i.e., the data complexity of the attack) is large, the time complexity can be reduced to 2`` with a Fast Fourier Transform algorithm [CJM02, Lu06]. However, ML-decoding remains usually infeasible when the size of targeted part of the initial state, x0, is not very small, typically when ` ≥ 80. In this situation, the attack can only be mounted by using some decoding algorithms faster than ML-decoding. The counterpart is of course that such algorithms require a longer keystream segment than the optimal value corresponding to Shannon’s theorem (see Equation (3.1)). These variants of the original attack are usually named fast correlation attacks. They apply when the transition function of the reduced generator is linear.

3.5.4 Iterative decoding with based on low-density parity-checks The idea of using an iterative decoding procedure based on low-density parity check (LDPC) equations comes back to Meier and Staffelbach [MS89], even if the algorithm they originally proposed was less efficient than the classical decoding algorithm for LDPC introduced by Gallager [Gal62]. The general principle of this decoding procedure consists in searching for a large number of parity-check relations for C having a low weight w. By the means of these relations, C can be seen as an LDPC code, for which there exist efficient decoding algorithms.

Low-weight parity-check equations Low-weight parity-check equations, i.e., with a small number of terms, for the involved code C can be exploited in fast correlation, but also in many other cryptanalytic techniques as they usually provide an efficient distinguishing procedure. A parity-check equation for the code C corresponds to a set of columns in the generator matrix which sum to zero. Equivalently, it can be seen as a codeword of the dual code C⊥. If the transition function of the reduced generator corresponds to an LFSR, we deduce from the structure of the LFSR code, that its parity-check equations have the following form

σt + σt+τ1 + ... + σt+τw−1 = 0, for all t ≥ 0 and are satisfied for any sequence σ generated by the LFSR. We know from Proposition 3.8 that the t-th column of the generator matrix of the LFSR code corresponds to the coefficients of Xt mod P ?(X), where P ? is the characteristic polynomial of the LFSR. Therefore, there is a bijection between such a parity-check equations and the polynomials

1 + Xτ1 + ... + Xτw−1 which are multiples of the LFSR characteristic polynomial P ?. The weight of such an equation is the number of its terms, or equivalently the Hamming weight of the corresponding word in the dual code. 68 Chapter 3. LFSR-based Stream Ciphers

Degree of parity-check equations. The value τw−1 (i.e., the degree of the corresponding polynomial) is also called the degree of the parity-check equation. For estimating the com- plexity of the attack, we need to determine the number of parity-check equations with a given weight w and with a degree less than some value d, when d varies. Usually, we assume that, for a given w, when d is large enough, the values taken by the polynomials of weight w of τ τ τ ? the form (1 + X 1 + X 2 + ... + X w−1 ) mod P (X) for all 0 < τ1 < τ2 < . . . < τw−1 < d are uniformly distributed in the set of all polynomials modulo P ? Under this hypothesis, the number of parity-check equations of weight w and of degree at most d is roughly d
dw−1 m (d) = w−1 ' . (3.3) w 2deg P ? (w − 1)! 2deg P ? However, the previous hypothesis does not hold in all situations. It would imply for instance that, for any P ?, the number of codewords of weight exactly w in the dual of the LFSR code C⊥ of length N = 2deg P ? − 1 is always close to N w−1 . (3.4) w! But clearly, this number highly depends on the algebraic structure of the characteristic polynomial. When P ? is a primitive polynomial, the corresponding LFSR code of length N = 2deg P ? −1 is equivalent to the simplex code (i.e., to the shortened first-order Reed-Muller code) [MS77, Page 30]. Its dual is then equivalent to the Hamming code of length N. In this case it can be checked that Formula (3.4) provides a good approximation of the weight distribution [MS77, Page 129]. More generally, when P ? is a randomly chosen primitive poly- nomial, simulation results show that (3.3) is a good estimation of the number of parity-check relations of weight w and degree at most d, when d is not too small. It is worth noticing that this holds even if P ? itself has weight w. Similarly, the minimal degree for a polynomial of weight w multiple of P ? is close to

1 deg P ? (w − 1)! w−1 2 w−1 . The situation is much more complicated when P ? is the product of two primitive polynomials. Then, the previous estimation remains reasonable when the degrees of the polynomials involved in the product are coprime, but does not hold in general. For instance, it is possible to construct some examples where P ? is the product of two primitive polynomials having the same degree and such that P ? has no multiple of degree 3 (see e.g. [CTZ01]).

Computing low-degree parity-check equations. There are several algorithms of com- puting parity-check equations of weight w associated to a polynomial P . The simplest one is described in Algorithm 9. More sophisticated ones are mentioned in [Jou09, Pages 384-386] The corresponding time and memory complexity are Time = O(dw−v−1) and Memory = O(dv) . w−1 An interesting trade-off is then obtained for v = b 2 c, leading to d w−1 e b w−1 c Time = O(d 2 ) and Memory = O(d 2 ) . When w ≥ 5, an improved variant of this algorithm due to Chose, Joux and Mitton [CJM02] b w c allows to decrease the memory requirement to Memory = O(d 4 ) with the same time com- plexity. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 69

Algorithm 9 Algorithm for computing multiples of P of weight w and degree at most d. for each set (i1, . . . , iv) of v elements of {1, ··· , d} do q(X) ← Xi1 + ... + Xiv mod P (X) store q in a table T such that T [a] = {(i1, . . . , iv): q(X) = a}. end for for each set (j1, . . . , jw−v−1) of w − v − 1 elements of {1, ··· , d} do A ← 1 + Xj1 + ... + Xw−v−1 mod P (X) for all (i1, . . . , iv) ∈ T [A] do return 1 + Xi1 + ... + Xiv + Xj1 + ... + Xw−v−1 end for end for

Iterative decoding of LDPC. A detailed comparison between several iterative decoding algorithms can be found in [Lev04]. For instance, the slightly impaired but simple version of Gallager’s algorithm proposed in [CT00] consists in iteratively updating the log-likelihood ratio at each bit position, i.e., the quantity

Pr[σ = 0] log t . Pr[σt = 1]

It is described by Algorithm 10.

Algorithm 10 Iterative decoding algorithm for fast correlation attacks. Input: s0s1 . . . sN−1, N keystream bits and p = Pr[st 6= σt] < 1/2. /* Initialization */ for all t from 0 to N − 1 do 1−p L[t] ← log( p ) end for repeat for all t from 0 to N − 1 do L0[t] ← (−1)st L[t] P for all parity-check equations involving Position t, σt = j∈J σj do

P s L0[t] ← L0[t] + (−1) j∈J j min(L[j]) j∈J end for end for until convergence for all t from 0 to N − 1 do if L0[t] < 0 then σt ← 0 else σt ← 1 end if end for return (σ)t≥0 70 Chapter 3. LFSR-based Stream Ciphers

The complexity of this algorithm highly depends on the number mw of parity-check equa- tions of weight w required for convergence. The simulation results presented in [CT00] show that the minimal number of equations can be estimated by 2 ln 2 m = , w ε2w−4 where ε = 1 − 2p and p is the error-probability. By combining this result with the expected number of parity-check equations of weight w and degree at most N given by (3.3), we deduce that the required data complexity is

2(w−2) 1 w−1 ` N = 2 w−1 ε and the corresponding time complexity

2w(w−2) 1 w−1 ` Time = 2 w−1 . ε

3.5.5 Existence of an approximation with fewer variables As explained in Section 3.5.1, a (fast) correlation attack can be mounted only when the Boolean function f of n variables involved in the keystream generator can be approximated by a function g depending on fewer variables. Typically, in a combination generator composed of n LFSRs, if the combining function f can be approximated by a function g of ` < n variables, then the attack involves the initial states of only ` out of the n constituent LFSRs.

Correlation-immunity order. A natural counter-measure to avoid correlation attacks con- sists then in using as building-blocks a correlation-immune function in the sense of the following definition. Definition 3.10 (Correlation-immunity [Sie84]). A Boolean function f is t-th order correlation- immune if the probability distribution of its output is unaltered when any t input variables are fixed. Balanced t-th order correlation-immune functions are called t-resilient. Note that a t-th order correlation-immune function is k-th order correlation-immune for any k ≤ t. The correlation-immunity order of a function f then refers to the highest integer t such that f is t-th order correlation-immune. In a combination generator, the correlation-immunity order t of the combining function determines the minimal number of LFSRs which must be considered together in a correlation attack. Indeed, the keystream produced by the combination generator is then independent of any set of t constituent LFSRs. The smallest number of LFSRs involved in a correlation attack is therefore t + 1. But the correlation-immunity order of a Boolean function cannot be chosen as high as we wish: it is limited by the algebraic degree of the function as shown in the next proposition. Proposition 3.11. [Sie84] Let f be a Boolean function of n variables. Then its correlation- immunity order t satisfies t + deg f ≤ n . Moreover, if f is balanced and t < n − 1, then t + deg f ≤ n − 1 . Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 71

n Proof. Let u ∈ F2 such that wt(u) ≥ n − t. We compute the coefficients of the ANF of f with Theorem 1.3. For L = {1, . . . , n}\ Supp(u), we have

X −(n−wt(u)) au = f(x1, . . . , xn) mod 2 = 2 wt(f) mod 2

xi=0,i∈L where the last equality comes from the fact that the probability distribution of the output of f is unchanger when the (n − wt(u)) ≤ t variables defined by L are set to 0. If f is balanced, i.e., wt(f) = 2n−1, we get that, for all u with wt(u) ≥ n − t,

wt(u)−1 au = 2 mod 2 = 0

since wt(u) − 1 ≥ n − t − 1 > 0. In other words, all coefficients of degree greater than or equal to (n − t) in the ANF of f are equal to zero, which means than deg f < n − t. If f is not balanced, we select some word u? of weight (n − t). Then,

−t au? = 2 wt(f) mod 2

t t+1 implying that wt(f) = 2 au? + Λ2 for some integer Λ. Now, for any u of weight (n − t + w) with w ≥ 1, we get

−t+w w w+1 au = 2 wt(f) = 2 au? + Λ2 = 0 mod 2 .

This means that all coefficients in the ANF of degree greater than or equal to (n − t + 1) vanish, i.e. deg f ≤ n − t. 

Approximation of a function by a function of (t + 1) variables. Since the combining function in a combination generator is balanced and nonlinear, its correlation-immunity order is at most (n − 3). It follows that we can always apply a correlation attack by considering at most ` = (n − 2) LFSRs together. We now show how to determine the best approximation of f by a Boolean function g depending on a fixed subset of ` variables.

Proposition 3.12. [Can02, Zha00] Let f be a function of n variables and let L be a subset of {1, . . . , n} of cardinality `, L = {i1, . . . , i`}. The highest possible value over all `-variable functions g of

pg = PrX [f(X1,...,Xn) = g(Xi1 ,...,Xi` )] is achieved if and only if

 1 g(x) = 1 if PrY [f(X,Y ) = 1|X = x] > 2 1 g(x) = 0 if PrY [f(X,Y ) = 1|X = x] < 2

It follows that the maximum of pg is

1 1 X 1 max pg = + − PrY [f(X,Y ) = 1|X = x] . g 2 2` 2 ` x∈F2

Proof. Let us decompose the n input variables of f as (X,Y ) where X corresponds to the ` ` variables of index i1, . . . , i`, and Y to the (n − `) remaining variables. Let pL(x), x ∈ F2, denote the probability pL(x) = PrY [f(X,Y ) = 1|X = x]. In other words, pL(x) is the 72 Chapter 3. LFSR-based Stream Ciphers probability that f outputs 1 when the ` inputs in positions L are fixed and equal to x. For any `-variable g we have

pg = PrX,Y [f(X,Y ) = g(X)]   −` X X = 2  Pr[f(X,Y ) = 0|X = x] + Pr[f(X,Y ) = 1|X = x] x∈g−1(0) x∈g−1(1) −` X −` X = 2 (1 − pL(x)) + 2 pL(x) x∈g−1(0) x∈g−1(1) −` −1 −` X g(x) = 2 |g (0)| − 2 (−1) pL(x) ` x∈F2 1 X X = + 2−`−1 (−1)g(x) − 2−` (−1)g(x)p (x) 2 L ` ` x∈F2 x∈F2 1 X 1  = + 2−` (−1)g(x) − p (x) . 2 2 L ` x∈F2

It follows that pg is maximal if and only if all terms in the sum are greater than or equal to zero, or equivalently  0 if p (x) < 1/2, g(x) = L (3.5) 1 if pL(x) > 1/2 . 1 Note that the value of g(x) can be arbitrarily chosen when pL(x) = 2 . The maximal value of pg directly follows. 

The previous proposition obviously implies that the maximal value of pg is 1/2 if ` is less than or equal to the correlation-immunity order of f since all PrY [f(X,Y ) = 1|X = x] = 1/2 in this case. Another consequence is that, for ` = t + 1 where t is the correlation-immunity order of f, the maximal value of pg is achieved by an affine function. Theorem 3.13. [CT00] Let f be a t-resilient function of n variables and let L be a subset of {1, . . . , n} of cardinality (t + 1), L = {i1, . . . , it+1}. The highest possible value over all (t + 1)-variable functions g of

pg = PrX [f(X1,...,Xn) = g(Xi1 ,...,Xit+1 )] is achieved by the affine function X g(xi1 , . . . , xit+1 ) = xi + ε i∈L with ε ∈ F2. Proof. We here use the same notation as in the proof of the previous proposition. For any j ∈ L, ej denotes the (t + 1)-bit vector whose all coordinates are zero except the j-th one. We t+1 first prove that, for any x ∈ F2 and any j ∈ L, pL(x) + pL(x + ej) = 1. Indeed, we have

pL(x) + pL(x + ej) = Pr[f(X,Y ) = 1|X = x] + Pr[f(X,Y ) = 1|X = x + ej]

= 2 (Pr[f(X,Y ) = 1|∀i ∈ L, Xi = xi]Pr[Xj = xj]+

Pr[f(X,Y ) = 1|∀i ∈ L \{j},Xi = xi,Xj 6= xj]Pr[Xj 6= xj])

= 2Pr[f(X,Y ) = 1|∀i ∈ L \{j},Xi = xi] = 1 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 73 where the last equality comes from the fact that f is t-resilient and that the set L \{j} has cardinality t. Let g be a (t + 1)-variable function such that pg is minimal. Since pL(x) + t+1 pL(x + ej) = 1 for any x ∈ F2 and for any j ∈ L, Condition (3.5) implies that

g(x) + g(x + ej) = 1

1 t+1 when pL(x) 6= 2 . Moreover, we can assume that this relation is satisfied for any x ∈ F2 , 1 because the value of g(x) can be arbitrarily chosen when pL(x) = 2 . It follows that, for any t+1 x ∈ F2 , X g(x) = g(0) + xi . i∈L g(0) P 1
This probability is then maximized when (−1) and PrX [f(X) = i∈L Xi] − 2 have the same sign. 

This result is of great interest because the degree of the approximation g affects the linear complexity of the reduced generator. Indeed, σ is produced by a smaller combining generator composed of ` = t + 1 (or more) LFSRs combined by g. Then, we know from Section 3.3.1 that the linear complexity of σ depends on the degree of g. The previous result then shows that, in a fast correlation attack involving the smallest number of LFSRs, i.e. (t+1), the same combining function g minimizes both the error probability (1 − pg) and the linear complexity of σ. In this context, since g has degree 1, the minimal polynomial of σ is the least common ? multiple of the minimal polynomials Pi of the considered LFSRs [Zie59]. In most practical situations, we have P ? = Qt+1 P ? since all the involved feedback polynomials are primitive. j=1 ij The N-bit keystream (st)t

Correlation-immunity order and dual distance of a code. The correlation-immunity order of a Boolean function f can be characterized by a combinatorial property of the code formed by the support of f, i.e., by f −1(1). This combinatorial property corresponds to the notion of orthogonal array [Rao47].

Proposition 3.14. [CCCS92] Let f be a Boolean function of n variables and let Cf be the code n corresponding to its support, i.e., Cf = {x ∈ F2 : f(x) = 1}. Then, f is t-th order correlation immune if and only if any set of t columns in Cf contains the same number of occurences of every t-tuple. Moreover, if Cf is a linear code, then f is t-th order correlation immune if and only the ⊥ minimum distance of Cf is strictly greater than t.

Proof. By definition Cf has cardinality wt(f). Let us consider any subset T ⊂ {1, . . . , n} of size t. Then, f is t-order correlation-immune if and only if, for any fixed value a of the input n variables at the positions defined by T , the set {f(x), x ∈ F2 and xi = ai∀i ∈ T } contains −t −t exactly 2 wt(f) ones. This equivalently means hat Cf contains exactly 2 wt(f) words which are equal to a at the positions defined by T . If Cf is a linear code and G denotes a k × n generator matrix of Cf , then the previous k−` condition means that, for any k × t submatrix GT of G, the linear system mGT = a has 2 74 Chapter 3. LFSR-based Stream Ciphers solutions for any a. This is equivalent to the fact that any k ×t submatrix GT of G has rank t, i.e., any set of t columns of G are linearly independent. Now, we show that this condition is ⊥ ⊥ equivalent to the fact that the minimum distance of Cf is greater than t. Indeed Cf contains a codeword x if and only if Gx = 0, i.e., the wt(x) columns of G corresponding to the support ⊥ ⊥ of x sum to zero. In other words, the minimum distance of Cf is greater than or equal to d if and only if any set of w < d⊥ columns of G are linearly independent. 

The previous proposition shows that correlation-immunity order of a linear function is determined by the minimum distance of the dual of the code corresponding to its support. A very nice property is that this result holds even if the underlying code is not linear. In this situation, the dual distance can be defined as follows.

Definition 3.15 (Dual distance of a code [Del73]). Let C be a binary code of length n and size M, and (A0,...,An) be its distance distribution, i.e., 1 A = |{(x, y) ∈ C × C, d(x, y) = i}| . i M

0 0 Let (A0,...,An) be the vector obtained by applying the MacWilliams transform:

n n X 1 X A0 Xn−iY i = A (X + Y )n−i(X − Y )i . i M i i=0 i=0

0 The dual distance of C is the smallest non-zero integer i such that Ai 6= 0. Obviously, when C is linear, its dual distance corresponds to the minimum distance of the dual code. Now, we will show that, even in the nonlinear case, the dual distance of Cf is related to the correlation-immunity of f. We will need the following lemma.

Lemma 3.16. Let C be a binary code of length n. Then any set of t columns in C contains the n same number of occurences of every t-tuple if and only if for any y ∈ F2 with 1 ≤ wt(y) ≤ t, X (−1)x·y = 0 . x∈C

n Proof. Let us first consider some T ⊂ {1, . . . , n} of size t and some nonzero y ∈ F2 such that t supp(y) ⊂ T . For any a ∈ F2, we denote by NT (a) the number of codewords in C which are equal to a at the positions defined by T . Then, we have

X x·y X a·yT (−1) = (−1) NT (a) . (3.6) x∈C ` a∈F2 where yT denotes the restriction of y to the positions in T . Now, we suppose that, for any T −t of size t, we have NT (a) = M2 for all a. We consider any nonzero y of weight at most t and we choose T of size t such that supp(y) ⊂ T . Then,   X M X (−1)x·y = (−1)a·yT = 0 , 2t   x∈C ` a∈F2 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 75 since yT 6= 0. Conversely, we consider any subset T ⊂ {1, . . . , n} of size t. We deduce from t (3.6) that, for any β ∈ F2 ! X β·yT X x·(yT ,0) X β·yT X a·yT (−1) (−1) = (−1) (−1) NT (a) t x∈C t t yT ∈F2 yT ∈F2 a∈F2  

X X (a+β)·yT t = NT (a)  (−1)  = 2 NT (β) , t t a∈F2 yT ∈F2

P (α+β)·yT P x·y
by using that t (−1) = 0 except for α + β = 0. Then, if all (−1) yT ∈F2 x∈C vanish when wt(y) ≤ t except for y = 0, we get that, for all β.

t X x·0 2 NT (β) = (−1) = M. x∈C Both properties are then equivalent. 

A direct corollary of the previous lemma is the following characterization of correlation- immune functions in terms of Walsh transform [XM88]. Corollary 3.17. Let f be a Boolean function of n variables. Then, f is t-th order correlation- immune if and only if for any y such that 1 ≤ wt(y) ≤ t, X (−1)f(x)+x·y = 0 . n x∈F2 Proof. This is derived from the previous lemma by using that for any y 6= 0 X X X X (−1)f(x)+x·y = (−1)x·y − (−1)x·y = −2 (−1)x·y . n −1 −1 −1 x∈F2 x∈f (0) x∈f (1) x∈f (1) 

Now, we can prove that the correlation-immunity order of a Boolean function is related to −1 the dual distance of Cf = f (1). Theorem 3.18 (Correlation-immunity order and dual distance [BGS94, SM95]). Let f be a Boolean function of n variables and let Cf be the code corresponding to its support, i.e., n Cf = {x ∈ F2 : f(x) = 1}. Then, f is t-th order correlation immune if and only if the dual distance of Cf is strictly greater than t.

Proof. By combining Proposition 3.14 and Lemma 3.16, we see that we need to show that Cf has dual distance d⊥ if and only if any nonzero y of weight at most (d⊥ − 1) satisfies X (−1)x·y = 0 .

x∈Cf The MacWilliams identity can be written by means of Krawtchouk polynomials

n 0 −k X Ai = 2 AjPi(j), ∀0 ≤ i ≤ n , j=0 76 Chapter 3. LFSR-based Stream Ciphers with k X in − i P (i) = (−1)j . k j k − j j=0 n We first prove a well-known property of Krawtchouk polynomials: for any x ∈ F2 with wt(x) = i, X x·y (−1) = Pj(i) . n y∈F2 ,wt(y)=j Let I denote the support of x. Since x · y corresponds to the size of the intersection between the supports of x and y, we get

j X x·y X |I∩J| X ` (−1) = (−1) = (−1) NI (`) n y∈F2 ,wt(y)=j J⊂{1,...,n},|J|=j `=0 where in − i N (`) = |{J ⊂ {1, . . . , n} avec |J| = j : |I ∩ J| = `}| = . I ` j − ` We deduce that j    X x·y X ` i n − i (−1) = (−1) = Pj(i) . n ` j − ` y∈F2 ,wt(y)=j `=0

n
Let us now consider some integer w, 1 ≤ w ≤ n. Let us define the matrix Mw of size M × w whose rows are indexed by the words of Cf and whose columns are indexed by the n-bit words of weight w by x·y (Mw)x,y = (−1) . 0 T Multiplying Mw by its transpose, we get that the coefficient of index (x, x ) of Mw(Mw) is

T
X (x+x0)·y 0 Mw(Mw) x,x0 = (−1) = Pw(d(x, x )) . n y∈F2 ,wt(y)=w Then, we deduce  2 T
T T X X x·y 1 MwMw 1 = (1Mw)(1Mw) =  (−1)  . n y∈F2 ,wt(y)=w x∈Cf Therefore,  2 X X x·y T
T  (−1)  = 1 MwMw 1 n y∈F2 ,wt(y)=w x∈Cf n X 0 X 2 0 = Pw(d(x, x )) = M AiPw(i) = M Aw . 0 x,x ∈Cf i=0

It follows that A0 = 0 if and only if P (−1)x·y = 0 for all y ∈ n with wt(y) = w.  w x∈Cf F2 Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 77

Bibliography

[Arm02] Frederik Armknecht. A linearization attack on the Bluetooth keystream generator. http://th.informatik.uni-mannheim.de/people/armknecht/E0.ps, 2002.

[BB06] Elad Barkan and Eli Biham. Conditional estimators: An effective attack on A5/1. In Selected Areas in Cryptography - SAC 2005, volume 3897 of Lecture Notes in Computer Science, pages 1–19. Springer, 2006.

[BBK08] Elad Barkan, Eli Biham, and Nathan Keller. Instant ciphertext-only cryptanalysis of GSM encrypted communication. Journal of Cryptology, 21(3):392–429, 2008.

[BD00] Eli Biham and Orr Dunkelman. Cryptanalysis of the A5/1 GSM stream cipher. In Progress in Cryptology - Indocrypt 2000, volume 1977 of Lecture Notes in Computer Science, pages 43–51. Springer-Verlag, 2000.

[Ber68] Elwyn R. Berlekamp. Algebraic Coding Theory. McGraw-Hill, 1968.

[BGS94] Jürgen Bierbrauer, K. Gopalakrishnan, and Douglas R. Stinson. Bounds for re- silient functions and orthogonal arrays. In Advances in Cryptology - CRYPTO’94, volume 839 of Lecture Notes in Computer Science, pages 247–256, 1994.

[BGW99] Marc Briceno, Ian Goldberg, and David Wagner. A pedagogical implementation of A5/1. http://jya.com/a51-pi.htm, 1999.

[Blu] Bluetooth specifications – version 1.0b. http://www.bluetooth.com.

[Bry86] Lennart Brynielsson. On the linear complexity of combined shift register sequences. In Advances in Cryptology - EUROCRYPT’85, volume 219 of Lecture Notes in Computer Science, pages 156–160. Springer, 1986.

[BSW00] Alex Biryukov, Adi Shamir, and David Wagner. Real time cryptanalysis of A5/1 on a PC. In Fast Software Encryption – FSE 2000, volume 1978 of Lecture Notes in Computer Science, pages 1–19. Springer-Verlag, 2000.

[Can02] Anne Canteaut. On the correlations between a combining function and functions of fewer variables. In IEEE Information Theory Workshop - ITW 2002, pages 78–81, Bangalore, Inde, October 2002. IEEE Press.

[CCCS92] Paul Camion, Claude Carlet, Pascale Charpin, and Nicolas Sendrier. On correlation-immune functions. In Advances in Cryptology - CRYPTO’91, volume 576 of Lecture Notes in Computer Science, pages 86–100. Springer-Verlag, 1992.

[CF01] Anne Canteaut and Eric Filiol. Ciphertext only reconstruction of stream ciphers based on combination generators. In Fast Software Encryption - FSE 2000, volume 1978 of Lecture Notes in Computer Science, pages 165–180. Springer-Verlag, 2001.

[CJM02] Philippe Chose, Antoine Joux, and Michel Mitton. Fast correlation attacks: an algorithmic point of view. In Advances in Cryptology - EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 209–221. Springer-Verlag, 2002. 78 Bibliography

[CKM94] Don Coppersmith, Hugo Krawczyk, and Yishay Mansour. The shrinking gener- ator. In Advances in Cryptology - CRYPTO’93, volume 773 of Lecture Notes in Computer Science. Springer-Verlag, 1994.

[Cou03] Nicolas Courtois. Fast algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 176–194. Springer-Verlag, 2003.

[CT00] Anne Canteaut and Mickaël Trabbia. Improved fast correlation attacks using parity-check equations of weight 4 and 5. In Advances in Cryptology - EURO- CRYPT’2000, volume 1807 of Lecture Notes in Computer Science, pages 573–588. Springer-Verlag, 2000.

[CTZ01] Pascale Charpin, Aimo Tietäväinen, and Victor Zinoviev. On binary cyclic codes with codewords of weight 3 and binary sequences with the trinomial property. IEEE Transactions on Information Theory, 47(1):421–425, 2001.

[Del73] P. Delsarte. Four fundamental parameters of a code and their combinatorial sig- nifiance. Information and Control, 23(5):407–438, décembre 1973.

[Dor87] Jean-Louis Dornstetter. On the equivalence between berlekamp’s and euclid’s algorithms. IEEE Transactions on Information Theory, 33(3):428–431, 1987.

[EJ03] Patrick Ekdahl and Thomas Johansson. Another attack on A5/1. IEEE Transac- tions on Information Theory, 49(1):284–289, 2003.

[Gal62] Robert G. Gallager. Low-density parity-check codes. IRE Transactions on Infor- mation Theory, IT-8:21–28, 1962.

[GBM02] Jovan Dj. Golic, Vittorio Bagini, and Guglielmo Morgari. Linear cryptanalysis of Bluetooth stream cipher. In Advances in Cryptology - EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 238–255. Springer-Verlag, 2002.

[Gef73] Philip R. Geffe. How to protect data with ciphers that are really hard to break. Electronics, pages 99–101, 1973.

[GN95] Rainer Göttfert and Harald Niederreiter. On the Minimal Polynomial of the Prod- uct of Linear Recurring Sequences. Finite Fields and Applications, 1(2):204–218, 1995.

[Gol82] Solomon W. Golomb. Shift register sequences. Aegean Park Press, 1982.

[Gün88] Christoph G. Günther. Alternating Step Generators Controlled by De Bruijn Sequences. In Advances in Cryptology - EUROCRYPT’87, volume 304 of Lecture Notes in Computer Science, pages 5–14. Springer, 1988.

[Hel11] Tor Helleseth. Maximal-length sequences. In Encyclopedia of Cryptography and Security, 2nd Ed., pages 763–766. Springer, 2011.

[Her86] Tore Herlestam. On functions of linear shift register sequences. In Advances in Cryptology - EUROCRYPT ’85, volume 219 of Lecture Notes in Computer Science, pages 119–129. Springer-Verlag, 1986. Error-Correcting Codes and Symmetric Cryptography - A. Canteaut 79

[HR04] Philip Hawkes and Gregory G. Rose. Rewriting variables: the complexity of fast al- gebraic attacks on stream ciphers. In Advances in Cryptology - CRYPTO 2004, vol- ume 3152 of Lecture Notes in Computer Science, pages 390–406. Springer-Verlag, 2004.

[Jou09] Antoine Joux. Algorithmic Cryptanalysis. Chapman & Hall/CRC, 2009.

[Key76] Edwin L. Key. An analysis of the structure and complexity of nonlinear binary sequence generators. IEEE Transactions on Information Theory, 22:732–736, 1976.

[KPPM12] Maria Kalendri, Dionisios Pnevmatikatos, Ioannis Papaefstathiou, and Charalam- pos Manifavas. Breaking the GSM A5/1 Cryptography Algorithm with Rainbow Tables and High-End FPGAs. In Field Programmable Logic and Applications - FPL 2012, pages 747–753. IEEE, Aug 2012.

[Lev04] Sabine Leveiller. Quelques algorithmes de cryptanalyse du registre filtré. PhD thesis, Ecole Nationale Supérieure des Télécommunications, Paris, 2004.

[LMV05] Yi Lu, Willi Meier, and Serge Vaudenay. The conditional correlation attack: A practical attack on Bluetooth Encryption. In Advances in Cryptology - CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 97–117. Springer- Verlag, 2005.

[Lu06] Yi Lu. Applied stream ciphers in mobile communications. PhD thesis, Ecole Polytechnique Fédérale de Lausanne, 2006.

[LV04a] Yi Lu and Serge Vaudenay. Cryptanalysis of Bluetooth keystream generator two- level E0. In Advances in Cryptology - ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 483–499. Springer-Verlag, 2004.

[LV04b] Yi Lu and Serge Vaudenay. Faster correlation attack on Bluetooth keystream generator E0. In Advances in Cryptology - CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 407–425. Springer-Verlag, 2004.

[Mas69] James L. Massey. Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory, 15:122–127, janvier 1969.

[Mas01] James L. Massey. The Ubiquity of Reed-Muller Codes. In Applied Algebra, Alge- braic Algorithms and Error-Correcting Codes - AAECC-14, volume 2227 of Lecture Notes in Computer Science, pages 1–12. Springer, 2001.

[MJB04] Alexander Maximov, Thomas Johansson, and Steve Babbage. An improved cor- relation attack on A5/1. In Selected Areas in Cryptography - SAC 2004, volume 3357 of Lecture Notes in Computer Science, pages 1–18. Springer-Verlag, 2004.

[MS77] F. Jessie MacWilliams and Neil J.A. Sloane. The theory of error-correcting codes. North-Holland, 1977.

[MS89] W. Meier and O. Staffelbach. Fast correlation attack on certain stream ciphers. Journal of Cryptology, pages 159–176, 1989. 80 Bibliography

[MS95] Willi Meier and Othmar Staffelbach. The self-shrinking generator. In Advances in Cryptology - EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science, pages 205–214. Springer-Verlag, 1995.

[NP09] Karsten Nohl and Chris Paget. GSM: SRSLY? In 26th Chaos Communication Congress - 26C3, 2009.

[PFS00] Slobodan Petrović and Amparo Fúster-Sabater. Cryptanalysis of the A5/2 al- gorithm. Technical Report 2000/052, Cryptology ePrint Archive, 2000. http: //eprint.iacr.org/.

[Rao47] Calyampudi Radhakrishna Rao. Factorial experiments derivable from combinato- rial arrangements of arrays. J. Roy. Statist., 9:128–139, 1947.

[RC10] Sondre Rønjom and Carlos Cid. Nonlinear equivalence of stream ciphers. In Fast Software Encryption – FSE 2010, volume 6147 of Lecture Notes in Computer Science, pages 40–54. Springer, 2010.

[RS87] Rainer A. Rueppel and Othmar Staffelbach. Products of linear recurring sequences with maximum complexity. IEEE Transactions on Information Theory, 33(1):124– 131, 1987.

[Rue86] Rainer A. Rueppel. Analysis and Design of stream ciphers. Springer-Verlag, 1986.

[Sie84] Thomas Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, IT- 30(5):776–780, 1984.

[Sie85] Thomas Siegenthaler. Decrypting a class of stream ciphers using ciphertext only. IEEE Transactions on Information Theory, C-34(1):81–84, 1985.

[SM95] Douglas R. Stinson and James L. Massey. An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions. Journal of Cryptology, 8(3):167–173, 1995.

[XM88] Guozheng Xiao and James L. Massey. A spectral characterization of correlation- immune combining functions. IEEE Transactions on Information Theory, IT- 34(3):569–571, 1988.

[Zha00] Muxiang Zhang. Maximum correlation analysis of nonlinear combining functions in stream ciphers. Journal of Cryptology, 13(3):301–313, 2000.

[Zie59] Neal Zierler. Linear recurring sequences. J. Soc. Indus. Appl. Math., 7:31–48, 1959.

[ZXF13] Bin Zhang, Chao Xu, and Dengguo Feng. Real Time Cryptanalysis of Blue- tooth Encryption with Condition Masking. In Advances in Cryptology - CRYPTO 2013, Part I, volume 8042 of Lecture Notes in Computer Science, pages 165–182. Springer, 2013.